Dec 29, 2010 11:16 AM|Mikesdotnetting|LINK
If you store the file in a folder under the Root directory of the site, there is always the possibility that someone will guess the URL and browse to it. You need to store your files in a non-browsable location such as App_Data, or outside the root of your
site. Then you can use a cshtml file to authenticate the user before streaming the file using the code above.
The general idea (although this example uses an HttpHandler instead of a cshtml file) can be got here: